The PHP null session issue is a full path disclosure vulnerability: by submitting an empty (null) session ID, an attacker can make the server reveal the file-system path of the script that is executing.
What can happen?
Sometimes the path reveals which CMS is running, which web server the site uses, or other sensitive information.
If the web application is hosted under a local user account (such as /home/peter/htdocs/), a local username on the machine is also disclosed, which may expose services other than HTTP (for example SSH) to attack.
Example of PHP NULL session
Suppose the application uses the PHPSESSID cookie for session handling. If its value is changed to an empty string and the server performs no checks on it, session_start() may emit an error that discloses a path like this:
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
This gives the attacker a clearer picture of the site's structure for further exploitation.
Remediation
Always check that a user-supplied session ID is valid before passing it to session_start(): it must be non-empty and consist only of the characters permitted by the session.hash_bits_per_character setting in your configuration. Disable printing of errors in the HTML output by configuring php.ini: set display_errors to Off (and log errors to a file instead, so they are still visible to the operator).
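The following PHP is an added example, not code from the original article: it validates the PHPSESSID cookie against the character set implied by session.hash_bits_per_character (on PHP 7.1 and later that directive was replaced by session.sid_bits_per_character and session.sid_length, which the example reads instead), discards a tampered or empty value, and turns off display_errors at runtime so no warning can reach the client. The function names, the assumption that the pre-7.1 hash function is the default MD5 or SHA-1, and the sample IDs in the self-check are all this example's own.

```php
<?php
// Added example (not from the original article): reject a tampered PHPSESSID
// before session_start() so the session handler never sees it and never emits
// the path-disclosing "illegal characters" warning.
declare(strict_types=1);

/**
 * Build the regular expression a valid session ID must match, derived from
 * the active session.*_bits_per_character setting.
 */
function sessionIdPattern(): string
{
    if (PHP_VERSION_ID >= 70100) {
        // PHP 7.1+: length and alphabet are configured directly.
        $bits   = (int) ini_get('session.sid_bits_per_character');
        $length = (int) ini_get('session.sid_length');
    } else {
        // PHP < 7.1: ID length follows from the hash size and bits per character.
        // Assumption: session.hash_function is the default 0 (MD5, 128 bits)
        // or 1 (SHA-1, 160 bits).
        $bits     = (int) ini_get('session.hash_bits_per_character');
        $hashBits = ini_get('session.hash_function') === '1' ? 160 : 128;
        $length   = (int) ceil($hashBits / $bits);
    }
    // Alphabets documented for each bits-per-character value.
    $alphabets = [4 => '0-9a-f', 5 => '0-9a-v', 6 => '0-9a-zA-Z,-'];
    $alphabet  = $alphabets[$bits] ?? '0-9a-zA-Z,-';
    return '/^[' . $alphabet . ']{' . $length . '}$/';
}

/** True only for a non-empty ID made solely of permitted characters. */
function isValidSessionId(string $id, string $pattern): bool
{
    return $id !== '' && preg_match($pattern, $id) === 1;
}

/**
 * Start the session without ever handing an invalid client value to PHP.
 * An invalid cookie is dropped and a fresh ID is issued instead.
 */
function startSessionSafely(): void
{
    // Keep warnings out of the HTML response; log them for the operator.
    // The same settings belong in php.ini: display_errors = Off, log_errors = On.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    $name   = session_name();
    $cookie = $_COOKIE[$name] ?? '';
    if (!isValidSessionId($cookie, sessionIdPattern())) {
        // Remove the bad value and pre-set a fresh hex ID so session_start()
        // does not consult the cookie at all (hex is valid under every alphabet).
        unset($_COOKIE[$name]);
        session_id(bin2hex(random_bytes(16)));
    }
    session_start();
}

// Self-check when run from the CLI: constructed sample IDs, not real sessions.
if (PHP_SAPI === 'cli') {
    $pattern = sessionIdPattern();
    $samples = [
        ''                                   => false, // the "null session"
        '../../etc/passwd'                   => false, // path-like garbage
        'a1b2c3d4e5f60718293a4b5c6d7e8f90'   => true,  // 32 hex chars, default length
    ];
    foreach ($samples as $id => $expected) {
        $ok = isValidSessionId((string) $id, $pattern);
        printf("%-36s -> %s%s\n", var_export((string) $id, true),
            $ok ? 'valid' : 'rejected', $ok === $expected ? '' : '  (unexpected)');
    }
}
```

Call startSessionSafely() in place of a bare session_start() at the top of each request. The self-check results depend on the configured ID length (32 hex characters under the defaults); if you run with a non-default session.sid_length or hash_bits_per_character, adjust the valid sample accordingly.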
Resources
- OWASP Full Path Disclosure
- PHP Configuration: ini.display_errors
- PHP Configuration: session.hash_bits_per_character